Tenable Research Release Highlights

Forum Discussion

bmcsulla
3 years ago

New Splunk Plugin and Audit files

Summary

Customers can now measure compliance against Splunk with new plugin ID 166550 on Tenable.io and Nessus. This plugin will be published with a new credential type: Splunk API. This plugin retrieves target data using the Splunk REST API and will evaluate actual values against a given audit policy. All data retrieval and communication is over the Splunk REST API. SSH is not needed or used for the Splunk compliance plugin.

Additional Notes

Two DISA STIG audits will be released along with the plugin:

  • Splunk Enterprise 8.x for Linux
  • Splunk Enterprise 7.x for Windows

Example audit structure

<check_type: "Splunk">
<custom_item>
  type           : REST_API
  description    : "Splunk Server Settings"
  request        : "SplunkGetServerSettings"
  json_transform : ".entry[].content.enableSplunkWebSSL"
  regex          : "(true|false)"
  expect         : "true"
</custom_item>
</check_type>

The 'request' tag references specific API endpoints for data retrieval. The 'json_transform' tag selects specific parts of returned data. Regex and expect tags will further filter and evaluate the data for a passing or failing result.

Target Release Date

January 16, 2023
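
The evaluation flow described for the example audit structure above, sketched in Python as an added example; it is not Tenable's plugin code. It assumes that json_transform is a jq-style path (only `.key` and `.key[]` are handled), that regex keeps the matching part of each selected value, and that a check with no data fails; the sample replies are constructed.

```python
import json
import re

# Constructed sample replies for the check's request (not captured from a real server).
SAMPLE_PASS = {"entry": [{"name": "settings", "content": {"enableSplunkWebSSL": True}}]}
SAMPLE_FAIL = {"entry": [{"name": "settings", "content": {"enableSplunkWebSSL": False}}]}
SAMPLE_MISSING = {"entry": [{"name": "settings", "content": {}}]}

# Tag values copied from the example audit structure on this page.
CHECK = {
    "json_transform": ".entry[].content.enableSplunkWebSSL",
    "regex": "(true|false)",
    "expect": "true",
}


def select(doc, path):
    """Apply a small subset of jq path syntax: .key and .key[] only."""
    nodes = [doc]
    for step in path.strip(".").split("."):
        iterate = step.endswith("[]")
        key = step[:-2] if iterate else step
        nxt = []
        for node in nodes:
            if not isinstance(node, dict) or key not in node:
                continue  # a missing key yields no value rather than an error
            value = node[key]
            if iterate:
                nxt.extend(value if isinstance(value, list) else [])
            else:
                nxt.append(value)
        nodes = nxt
    return nodes


def evaluate(doc, json_transform, regex, expect):
    """Return 'PASSED' or 'FAILED' under the assumed tag semantics."""
    selected = select(doc, json_transform)
    # JSON scalars are rendered as JSON text so true/false compare as strings.
    texts = [v if isinstance(v, str) else json.dumps(v) for v in selected]
    # Assumed: regex keeps only the matching portion of each selected value.
    candidates = [m.group(0) for t in texts for m in [re.search(regex, t)] if m]
    # Assumed: no data is a failure, and every remaining value must match expect.
    if not candidates:
        return "FAILED"
    return "PASSED" if all(re.fullmatch(expect, c) for c in candidates) else "FAILED"
```

Treating a missing key as a failure keeps a check from passing when the setting is absent from the reply.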